Vulnerabilities Patched in WP Page Builder

On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These vulnerabilities allowed any logged-in user, including subscribers, to access the page builder’s editor and make changes to existing posts on the site by default. Additionally, any logged-in user could add malicious JavaScript to any post, potentially resulting in site takeover.

Wordfence Premium users received a firewall rule protecting against these vulnerabilities on February 15, 2021. Sites still running the free version of Wordfence received the same protection 30 days later, on March 17, 2021.

Full article:

Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild

On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s “Legacy” Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. They estimate that more than 100,000 WordPress sites are using Thrive Theme products that may still be vulnerable.

Patches were released on March 12, 2021 for the vulnerable themes and plugins. Wordfence is seeing these vulnerabilities being actively exploited in the wild, and urges users to update to the latest available versions immediately, since they contain a patch for these vulnerabilities.

Full article at:

Update from March 26:

Active Exploitation Continues on Unpatched Thrive Themes


Two Vulnerabilities Patched in Facebook for WordPress Plugin

The Wordfence Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites. This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness.

In addition, on January 27, 2021, Wordfence disclosed a separately identified vulnerability in Facebook for WordPress that was introduced in the rebranding of the plugin in version 3.0.0. This flaw made it possible for attackers to inject malicious JavaScript into the plugin’s settings, if an attacker could successfully trick an administrator into performing an action such as clicking a link.

Full article:

Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites

These vulnerabilities allowed any user able to access the Elementor editor, including contributors, to add JavaScript to posts. This JavaScript would be executed if the post was viewed, edited, or previewed by any other site user, and could be used to take over a site if the victim was an administrator.

Full article at:

Critical Vulnerability Patched in WooCommerce Upload Files

Please note that this is a separate plugin from the main WooCommerce plugin and is designed as an add-on to that plugin.

All of our current clients are protected against this vulnerability.

The threat researchers at Wordfence detailed a critical 0-day vulnerability in the WooCommerce Upload Files plugin that would have allowed attackers to infect and completely take over a website. This vulnerability has been patched in version 59.4, and we recommend that all users update to the latest version of the plugin as soon as possible, which is 60.1 at the time of this writing.

Full article at:

Medium Severity Vulnerability Patched in User Profile Picture Plugin

Discovered 2/15/21, update issued 2/18/21.

User Profile Picture is a plugin designed to allow site owners to upload profile pictures for individual users. By default, WordPress will set a user’s profile picture to the associated Gravatar, if present, for any given email. This plugin makes it so that user profile pictures can be customized and can override the Gravatar associated with an email address.

One feature the plugin offered was the ability to add user profiles to a post using a Gutenberg block. When adding the block to a post, the plugin made a request for user data to retrieve the user’s profile picture and username for users with access to the Gutenberg editor, in order to add the information to the block. To retrieve this information, the plugin registered the REST API route /mpp/v2/get_users tied to the rest_api_get_users function.

Unfortunately, this REST API endpoint returned more information than its functionality required, including password hashes, hashed user activation keys, usernames, email addresses, and other, less sensitive information.
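To show the class of defect described above and its fix, here is an added illustration written for this digest; it is not the User Profile Picture plugin’s own code, and the route names, the example/v1 namespace and the chosen fields are assumptions. The first registration returns whole WP_User objects to any caller, so the password hash and activation key ride along in the JSON; the second restricts who may call the route and selects only the fields the block needs.

```php
<?php
// Added illustration, not the User Profile Picture plugin's own code: the route
// names, the 'example/v1' namespace and the field choices are assumptions.

// Weak pattern of the kind the advisory describes: the callback hands back whole
// WP_User objects, whose public $data holds user_pass and user_activation_key,
// so those hashes are serialised into the JSON response for any caller.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/users-leaky', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => '__return_true',   // no capability check at all
        'callback'            => function () {
            return get_users();                     // every field of every user
        },
    ) );
} );

// Hardened form: require the capability the feature actually needs, and select
// only the fields the block needs before anything reaches the response.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/users', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $users = get_users( array(
                'fields' => array( 'ID', 'display_name' ), // never user_pass or keys
                'number' => 100,
            ) );
            $out = array();
            foreach ( $users as $u ) {
                $out[] = array(
                    'id'     => (int) $u->ID,
                    'name'   => $u->display_name,
                    'avatar' => get_avatar_url( (int) $u->ID ),
                );
            }
            return rest_ensure_response( $out );
        },
    ) );
} );
```

A quick check for any endpoint of this kind is to request it while logged out and confirm a 401 with the rest_forbidden code, then search the JSON of an authorised response for user_pass and user_activation_key.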

Full article:

One Ransomware Victim Every 10 Seconds in 2020

A new organization became a victim of ransomware every 10 seconds in 2020 with remote workers experiencing a sharp uptick in threats, according to Check Point.

The security vendor’s 2021 Security Report is compiled from its ThreatCloud intelligence sensor data, its own research and recent surveys of IT professionals.

The report claimed that consumers and organizations face 100,000 malicious websites and 10,000 malicious files every day, with double extortion ransomware in particular on the rise. In Q3 2020, nearly half of all ransomware incidents involved theft of data from the targeted organization.

“Once a single victim is infected, the attackers leverage that person’s old email conversations for malware distribution, forwarding the last email of the thread and adding malicious files as attachments,” the report explained.

Full article:

Multiple Vulnerabilities In Ninja Forms WordPress Plugin Could Allow Site Takeovers

Some serious security vulnerabilities existed in the Ninja Forms WordPress plugin that put over a million sites at risk. Exploiting these vulnerabilities could allow an attacker to take over target websites and redirect incoming traffic to malicious links.

Of course, any sites under management by have already been updated with the latest fixes.

Full article:

Wordfence offers free security audits to K-12 public schools using WordPress

Know a K-12 public school using WordPress?

Wordfence is offering free site security audits and site cleaning for public and government-funded schools, now available worldwide. (The original announcement said U.S. only, but apparently they’ve extended it.) Check out their announcement, and please share this offer with a state-funded school, anywhere in the world, that could benefit from their services.

uses WordPress

The big buzz in the WordPress community this month is that the new administration is using WordPress to serve

And while you and I probably don’t have anywhere near the manpower behind our sites that the Federal Government can muster to keep one of the most visible – and probably one of the most attacked – websites on the internet safe from all manner of security threats, it’s reassuring to know that they trust it enough for something this important.

So rest assured that YOU have made a good choice in using WordPress.

Is WordPress perfect? Definitely not – no computer program is. Does it hit that sweet spot of balance between ease of use, flexibility, security, and cost? I’d say yes.